Welcome to Splunk Answers, a Q&A forum for users to find answers to questions about deploying, managing, and using Splunk products. Contributors of all backgrounds and levels of expertise come here to find solutions to their issues, and to help other users in the Splunk community with their own questions.

I am unable to place each ASA's logs into a separate file, so I am hoping for some other solution. My ESA data, which did not contain my Ironport host-names, was separated into separate files, based on host-name, but I cannot do that here.

BTW, my individual ASA hosts are showing up as "dvc", but this field is not in use for my reporting, and I really do not want to rewrite all of the great reports that CSS provides.

1 Answer

Maybe the answer here can help you out. Although it is a different problem, the solution could work for you as well: you just set the host field explicitly to what is transmitted as host in the syslog data.

Unfortunately, I'm not really knowledgeable about ASA configuration, but a quick look at the docs says this only changes the format of the log, not the verbosity. Was the guide specifically written for logging ASA into Splunk, or is that a general guide? Either way, you could try it and see how the logs look in the new format. If the EMBLEM format places the host value in the syslog data, the above mentioned method could allow you to extract it.

Is there something else in the raw data coming from the ASA that you could use to identify the actual host?

Yes, I've re-written the searching to use "dvc" versus "host", and all of the canned reports are now behaving as expected, and showing individual ASAs.

I am going to reconfigure my ASAs this weekend to use format emblem, and I will see if that resolves this matter; if not, I will leave this as is.

On another note, is there a way to associate "dvc" to "host" somewhere in my local directory, versus having to rewrite searches? The reason I am asking is to avoid something breaking in future app upgrades.

If you wanted me to answer your question, yes there is a way to set the host field - it's the method mentioned in the link above. If your data contains some information on "dvc", why don't you just use the method mentioned there to set the host field to the value of dvc?

I just had a look at the configuration in that app myself, so no need to post them any more. I still think you can just add a configuration to set the host value as suggested in my initial answer by adding something like this to your props.conf:
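The props.conf snippet the answerer refers to is not on this page. The following is an added example of the per-event host override being discussed (Splunk's `DEST_KEY = MetaData:Host` transform), not the answerer's configuration or anything shipped with the Cisco app. The sourcetype name `cisco:asa`, the transform name `asa_host_from_syslog`, the sample event line and the regex built around it are all assumptions; the regex has to be adjusted to whatever the raw ASA events actually look like after the EMBLEM change.

```ini
# props.conf
# Place this in an app's local/ directory (for example
# $SPLUNK_HOME/etc/apps/<app>/local/props.conf): local/ takes precedence over
# default/ and is not overwritten when the app is upgraded.
# It must live on the indexer or heavy forwarder that parses the syslog data,
# not on a universal forwarder, because host overrides run at parse time.
# Assumption: the ASA events arrive under sourcetype cisco:asa.
[cisco:asa]
TRANSFORMS-asa_host = asa_host_from_syslog

# transforms.conf
# Assumed event shape (constructed sample, with the ASA sending its hostname):
#   <166>Jan 10 2020 12:34:56 asa-fw-01 : %ASA-6-302013: Built outbound TCP connection ...
# Group 1 captures the hostname sitting between the timestamp and the %ASA tag.
# The leading <PRI> and the four-digit year are both optional in the pattern.
# If the regex does not match an event, that event keeps the host assigned by
# the input (here the syslog relay), so verify with a search on host=* after
# restarting and fix the pattern rather than the search.
[asa_host_from_syslog]
REGEX = ^(?:<\d+>)?\S+\s+\d+\s+(?:\d{4}\s+)?\d{2}:\d{2}:\d{2}\s+(\S+)\s*:?\s*%ASA-
DEST_KEY = MetaData:Host
FORMAT = host::$1
```

This sets the indexed `host` field itself, which is why the canned reports that search on `host` start separating the ASAs without being rewritten. It also explains why the `dvc` field cannot simply be "associated" with `host`: `dvc` is extracted at search time, whereas `host` is assigned when the event is indexed, so the transform has to pull the same hostname out of the raw text. Events indexed before the change keep their old host value.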